Opened 7 months ago

Last modified 3 months ago

#27863 assigned New feature

Implement "SameSite" flag for session and CSRF cookies

Reported by: Alex Gaynor
Owned by: Paweł Krawczyk
Component: HTTP handling
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection (http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global deployment, it'd be very useful for Defense in Depth.

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

I believe simply adding SameSite=lax to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).
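
Added example (not code from the ticket or from Django): the standard-library part of what the ticket asks for. It shows how to emit a SameSite attribute from `http.cookies` even on interpreters whose `Morsel` does not yet know the attribute (the stdlib gap comment:1 refers to), by registering the name in `Morsel._reserved` before building the cookie, and it models the draft's Lax/Strict rules for a cross-site request so the defense-in-depth claim above can be checked concretely. The function names `set_cookie_header` and `browser_sends_cookie` and the sample cookie values are assumptions made for this example.

```python
"""Added example: SameSite on a Set-Cookie header with only the standard
library, plus a small model of the draft's Lax/Strict rules.
Not Django code; function names and sample values are made up."""
from http import cookies

# Older interpreters reject morsel["samesite"] with CookieError because the
# attribute is not in Morsel._reserved. Registering it is the minimal
# workaround and is a no-op on interpreters that already ship the entry.
cookies.Morsel._reserved.setdefault("samesite", "SameSite")

# Canonical spellings accepted by the draft; keys are compared case-insensitively.
VALID_SAMESITE = {"lax": "Lax", "strict": "Strict", "none": "None"}


def set_cookie_header(name, value, *, samesite="Lax", secure=False,
                      httponly=False, path="/", max_age=None):
    """Return the value of one Set-Cookie header.

    samesite=None omits the attribute entirely (the behaviour before this
    ticket); any other value must be Lax, Strict or None, case-insensitive.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if max_age is not None:
        morsel["max-age"] = int(max_age)
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    if samesite is not None:
        key = str(samesite).lower()
        if key not in VALID_SAMESITE:
            raise ValueError("samesite must be Lax, Strict or None")
        morsel["samesite"] = VALID_SAMESITE[key]
    # Morsel.OutputString sorts attributes alphabetically by their internal key.
    return morsel.OutputString()


SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def browser_sends_cookie(samesite, *, cross_site, top_level_navigation,
                         method="GET"):
    """Model of the draft's rules for whether a conforming browser attaches
    the cookie to a request.

    Strict: never on a cross-site request.
    Lax: on a cross-site request only for a top-level navigation that uses a
         safe method, so a cross-site POSTed form (the classic CSRF vector)
         arrives without the cookie.
    None or absent: always.
    """
    if not cross_site:
        return True
    mode = (samesite or "none").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True


if __name__ == "__main__":
    # Constructed sample values, not real session material.
    print(set_cookie_header("sessionid", "abc123", samesite="lax",
                            secure=True, httponly=True, max_age=1209600))
    print(set_cookie_header("csrftoken", "tok", samesite=None))
    print(browser_sends_cookie("Lax", cross_site=True,
                               top_level_navigation=False, method="POST"))
```

The model also makes the limitation visible: with Lax, a cross-site top-level GET (a link or a `<form method="GET">`) still carries the cookie, so any state-changing GET endpoint gains nothing from the attribute. That is consistent with the token-based CSRF check staying in place and SameSite being layered on top of it rather than replacing it.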

Change History (5)

comment:1 Changed 7 months ago by Alex Gaynor

Note: this requires a change to the stdlib cookies module: https://github.com/python/cpython/pull/214 I suspect with some hackery this can be worked around in Django though.

comment:2 Changed 5 months ago by Paweł Krawczyk

Owner: changed from nobody to Paweł Krawczyk
Status: new → assigned

This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.

comment:3 Changed 5 months ago by Paweł Krawczyk

Has patch: set

comment:4 Changed 5 months ago by Paweł Krawczyk

Version: 1.10 → master

comment:5 Changed 5 months ago by Simon Charette

Component: contrib.sessions → HTTP handling
Needs documentation: set
Needs tests: set
Patch needs improvement: set
Summary: Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies